Data Processing Addendum

CitNOW Group - Standard (October 2023 Edition)

Between Parties:

This Agreement is made between:

The entity identified as “Supplier” on the Order Form(s) (“Supplier”).
The entity identified as the “Customer” on the Order Form(s) (“Customer”).

Introduction

The Supplier is part of and operates within the CitNOW Group. CitNOW Group is a group of companies offering Products and Services to the automotive industry.

As part of the supply of Products and Services, the Supplier will act as the Customer’s data processor. The terms of clauses 1 (Data Protection) and 2 (Consumer Data and Employee Data) within the CitNOW Group Terms and Conditions apply in respect of the parties’ data protection obligations. This addendum is for Customers benefit if they should wish to have a signed Data processing Addendum in place.

The provisions contained within this addendum are very important and require the Customer to put processes in place to ensure the requirements of this Data processing Addendum are satisfied. Please read these provisions carefully. In particular the Customer must ensure, and procure that all Users ensure, prior to transferring any Consumer’s personal data to Supplier through the Products that either:

consent is obtained from all Consumers for their Consumer Data to be uploaded into the Product(s) or otherwise transferred to Supplier; or
that the Customer has clearly identified one or more other lawful basis (as set out in the Data Protection Legislation) which allow for the Consumer Data to be uploaded into the Product(s) or otherwise transferred to Supplier.

Definitions

Terms defined in the Terms and Conditions, Licensing Agreement and/or the Order Form(s) shall, unless otherwise defined herein, have the same meaning in this Data processing Addendum.

Agreement: the contract made between Supplier and the Customer comprising the Order Form(s)(s), the Terms and Conditions and the Licensing Agreement(s).
CitNOW Group: the members of the CitNOW Group of companies, being any entity controlling, controlled by or under common control of Supplier and “control” shall have the meaning given to it in section 1124 of the Corporation Tax Act 2010. All entities shall be listed on the CitNOW Group website at all times.
Consumer: any consumer who is a customer of the Customer in respect of whom personal data is uploaded by a User into the Products.
Consumer Data: means all information, including personal data, relating to a Consumer that is uploaded to the Products or transferred to Supplier by the Customer, including by any User.
Content: the video, still images, audio, graphics, text, messages and other information created by You and uploaded via the Product;
Controller: processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures; as defined in the Data Protection Legislation.
Customer: the customer named as such in the Order Form(s) (s)which may be an OEM, a National Sales Company, a Dealer Group or a Retailer.
Data: any data, including personal data, which is uploaded to the Products or transferred to Supplier by the Customer, including any Consumer Data and/or Employee Data.
Data Protection Legislation: means:
1. to the extent that the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data; or
2. to the extent that the EU GDPR applies, the law of the European Union or any member state of the European Union to which Supplier or the Customer are subject which relates to the protection of personal data.
Dealer Group: a company operating multiple Retailers.
Employee Data: any data, including personal data, which is uploaded to the Products or transferred to Supplier by the Customer, including by any User.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law.
OEM: an original equipment manufacturer.
Order Form(s): the Order Form(s) Supplier and signed by the Customer incorporating these Terms and Conditions and the Licensing Agreement(s) by reference.
Products: The products described within the Order Form(s), which are supplied to the Customer by the Supplier (either directly or as an authorised reseller) on a subscription basis, and which may be available in tiers known as standard, pro and plus (where applicable). The Product(s) purchased by the Customer, including the product tier, shall be as detailed in the Order Form(s)of the subscription, the supply of the Product(s) includes provision of Technical Support;
Retailer: the franchised dealer(s) identified on the Order Form(s).
Services: The services supplied to the Customer by Supplier (either directly or as an authorised reseller), as more fully detailed in the Order Form(s), which may include training, data import, data export, data cleansing, bespoke development and/or webinars, but excluding the Set-Up Service;
Third Party Software: any third-party software applications or services which Supplier supply or make available to the Customer as part of the Products (including any Additional Features) and/or Services (including any Set-Up Services), subject always to the Customer agreeing to be bound by any terms applicable to such third-party software;
Users: employees of the Customer at the Customer sites (including Head Office employees, where applicable) detailed on the Order Form(s) who are permitted to use the Products;
UK GDPR: has the meaning given to it in Section 3(1) (as supplemented by Section 205(4)) of the Data Protection Act 2018.

Data Protection
1. Supplier shall process Data on behalf of the Customer. The scope and duration, categories and purpose of the personal data processed by Supplier pursuant to this Agreement are set out in Annex A within the License Agreement(s).
2. The Customer shall own all right, title and interest in and to all of the Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Data. Supplier acknowledges and agrees that the Customer shall be the data controller of any personal data comprised in the Data. Where the Customer is an OEM or Dealer Group the parties agree that Data may be shared with Supplier either by the OEM or the Dealer Group, or by Retailers within the Customer’s group. Where this is the case, Supplier understands and acknowledges that the Retailer and an OEM / Dealer Group shall be joint data controllers of the personal data disclosed to Supplier, subject to the terms of a separate written agreement between the Retailer and the OEM/Dealer Group, as applicable.
3. The Customer’s instructions in relation to the processing of personal data comprised in the Data shall be as set out in Annex A of the Licensing Agreements. The Customer shall be entitled, in writing or in a machine-readable format (in text form*), to update, modify, amend or replace such individual instructions by notifying Supplier’s designated contact for data protection matters. The Customer shall, without undue delay, confirm in writing or in text form any instruction issued orally.
4. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
5. Subject always to clause 1.7.2, personal data comprised in the Data may be transferred or stored outside the UK and EEA or the country where the Customer is located in order to provide the Products and/or Services (including, where applicable, any Additional Features) under the Agreement.
6. Without prejudice to the generality of clause 1.4, the Customer will ensure that it has all necessary appropriate lawful basis and notices in place to enable lawful transfer of the personal data to Supplier for the duration and purposes of the Agreement.
7. Without prejudice to the generality of clause 1.4, Supplier shall, in relation to any personal data processed by it when performing its obligations under the Agreement:
  1. Process that personal data only on the Customer’s documented written instructions unless Supplier is required by the laws of any member of the European Union and/or domestic UK Law to process such personal data (Applicable Laws). If Applicable Laws require Supplier to process such personal data, it shall tell the Customer before such processing unless those Applicable Laws prohibit it from doing so;
  2. Not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled:
    1. Supplier have provided appropriate safeguards in relation to the transfer;
    2. the data subject has enforceable rights and effective legal remedies;
    3. Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
    4. Supplier complies with the Customer’s reasonable advance instructions when processing the Customer’s personal data;
  3. assist the Customer, at the Customer’s cost, in responding to any request from a data subject to enable the Customer to comply with its Data Protection Legislation obligations with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
  4. promptly notify the Customer on becoming aware of a personal data breach affecting the Customer’s personal data;
  5. at the Customer’s written request and on termination of the Agreement, delete or return the Customer’s personal data in accordance with clause 1.11 unless required by Applicable Law to store the personal data; and
  6. maintain records and information to demonstrate its compliance with this clause 1 and clause 2. Supplier shall permit the Customer, and its authorised representatives to audit and inspect its compliance with Data Protection Legislation provided always such audit and/or inspection is carried out on reasonable notice at a mutually convenient time. Any information disclosed as part of the audit / inspection shall be treated as confidential information in accordance with clause 9 of the CitNOW Group Terms and Conditions. Audits and inspections shall not be carried out more than annually unless the Customer, acting reasonably, believes Supplier has breached the Data Protection Legislation; and
  7. promptly tell the Customer if, in Supplier’s opinion, the Customer’s instructions infringe Data Protection Legislation. In such instances, Supplier shall be permitted to suspend performance on such instruction until the Customer confirmed or modifies such instruction so that it complies with Data Protection Legislation.
8. Each party shall ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage, having regard to the state of technological development and the cost of implementing any such measures.
9. The Customer consents to Supplier appointing subprocessors of personal data under the Agreement. A list of the subprocessors used by Supplier is available on each company website . Supplier confirms that it has or will enter into (either directly or through a member of the CitNOW Group) a written agreement with subprocessors incorporating terms which are substantially similar to those set out in this clause 1. Supplier shall remain fully liable for all acts or omissions of any sub processor appointed by or on behalf of Supplier pursuant to this clause 1. Where Supplier uses any subprocessors which are based outside of the UK and EEA, in a territory where an adequacy decision is not in place, it shall comply with the requirements of clause 1.7.2 before any personal data is transferred to such subprocessor. A list of any subprocessors to which this clause applies is available on Suppliers Website at all times. Supplier may appoint new subprocessors from time to time, and the Customer is advised to regularly check the websites for a list of the current subprocessors used by Supplier.
10. Third Party Claim. The Customer shall indemnify and defend Supplier at its own expense against all costs, claims damages or expenses incurred by Supplier and/or other members of the CitNOW Group or for which Supplier and/or other members of the CitNOW Group may become liable due to any failure by the Customer, the Users, the Retailers (where applicable), and/or the Customer’s employees, subcontractors or agents failure to comply with its obligations under clauses 1 and/or 2, and/or the Data Protection Legislation, as applicable.
11. Retention upon Termination. Should this Agreement be terminated for any reason, Supplier will hold the Data for a period of 60 days (or such other period as may be specified in the applicable Licensing Agreement) after termination. Supplier holds the Data for this period for the following reasons:
  1. To allow the Customer to change their mind and resume their subscription for the Product with all details, preferences and configurations still in place, if applicable; and
  2. To allow the Customer to request an export of its Data.
12. CitNOW Group. The Parties agree that the Customer’s contact information and the Customer’s use of the Products may be shared with other entities and companies within the CitNOW Group and Supplier shall procure that such entities handle any such information in accordance with the confidentiality commitments within the CitNOW Group Terms and Conditions as well as compliance with Data Sharing as defined within the applicable Privacy Laws.
Consumer Data and Employee Data
1. The parties acknowledge and agree that as Consumer Data is to be processed by Supplier on behalf of the Customer it is the Customer’s responsibility to identify and record the lawful basis for capturing and sharing the Consumer Data with Supplier. Supplier has no control of the data entered into the Product(s) by the Customers and its Users. Accordingly, the Customer shall ensure, and shall procure that all Users ensure that either:
  1. consent is obtained from all Consumers for their Consumer Data to be uploaded into the Product(s) or otherwise transferred to Supplier; or
  2. where consent is not obtained, that the Customer has clearly identified one or more other lawful basis (as set out in the Data Protection Legislation) which allow for the Consumer Data to be uploaded into the Product(s) or otherwise transferred to Supplier.
2. The Customer shall keep a written record of such lawful basis and provide evidence of such lawful basis for processing to Supplier on request.
3. It is the Customer’s responsibility, irrespective of whether the Customer is an OEM, a Dealer Group or a Retailer, to ensure compliance with clauses 2.1 and 2.2. Supplier accepts no responsibility or liability to the Customer and/or any Consumer for the Customer failing to obtain the necessary authority and permission to share Consumer Data with Supplier. Where a Dealer Group or an OEM have entered into this Agreement in order to purchase subscriptions to use the Products on behalf of its Retailers, it is the Dealer Group / OEM’s responsibility to procure each Retailer in its group has obtained the necessary authorisation and permission before any Consumer Data is uploaded to the Product or otherwise transferred to Supplier.
4. he Customer shall indemnify Supplier for any losses, costs, claims, damages or expenses incurred by Supplier and/or other members of the CitNOW Group caused by disclosure of Consumer Data by the Customer without the necessary authorisation and permission being obtained in advance of disclosure.
5. Except as provided in Data Protection Legislation, Supplier shall not use or allow use of the Consumer Data other than to fulfil its obligations under the Agreement and/or in accordance with the Customer’s written instructions.
6. Supplier confirms that all employees involved in the processing of the Consumer Data shall be prohibited from processing the Consumer Data outside the scope of the instructions detailed in clause 2.5 above. Supplier confirms that any person entitled to process Consumer Data is bound by a contractual commitment to confidentiality or is subject to an appropriate statutory obligation to confidentiality.
7. If either party becomes aware of any unauthorised or unlawful processing of the Consumer Data or if the Consumer Data is lost or destroyed, or if either party learns or suspects of a personal data breach affecting the Consumer Data has occurred, that party shall promptly notify the other party and fully cooperate with the other party to take the necessary remedial action as soon as practicable.
8. Where Employee Data is uploaded by the Customer (as controller) into the Product it shall be accessible by Supplier and, in this circumstance only, Supplier shall act as a joint controller of the Employee Data. Both the Customer and Supplier shall process the Employee Data to the extent necessary to enable fulfilment of their contractual obligations under the Agreement.
General
1. Survival of Clauses. If any provision of this Data processing Addendum is found to be unenforceable, the remaining provisions shall remain valid.
2. Governing Law. The Agreement is governed by the law applicable to the entity as named on the Order Form(s) and this Data processing Addendum and shall be subject to the exclusive jurisdiction to the courts of which said entity is registered.
3. Changes. Notwithstanding anything else to the contrary in this Data processing Agreement and without prejudice to the clauses held within, CitNOW Group and Supplier reserve the right to make any updates and changes to this Data Processing Addendum and, at all times shall the latest version be in effect between Customer and the Supplier. No changes shall be introduced which materially reduce the obligations as set on Supplier as a Processor to the Customer under the applicable Privacy Laws.